add session recording mechanism

handlers/main.yml

@@ -5,6 +5,11 @@
     name: sshd
     state: restarted
 
+- name: restart_sssd
+  ansible.builtin.service:
+    name: sssd
+    state: restarted
+
 - name: restart_httpd
   ansible.builtin.service:
     name: httpd

init-rocky-session-recording.yml

@@ -0,0 +1,38 @@
+---
+# Sets up session recording via tlog. This does similar work to the
+# linux-system-roles.tlog role, but with modifications. The expectation
+# is that the system is enrolled to FreeIPA.
+- name: Configure session recording
+  hosts: all
+  become: true
+
+  # This is to try to avoid the handler issue in pre/post tasks
+  handlers:
+    - import_tasks: handlers/main.yml
+
+  pre_tasks:
+    - name: Check if ansible cannot be run here
+      stat:
+        path: /etc/no-ansible
+      register: no_ansible
+
+    - name: Verify if we can run ansible
+      ansible.builtin.assert:
+        that:
+          - "not no_ansible.stat.exists"
+        success_msg: "We are able to run on this node"
+        fail_msg: "/etc/no-ansible exists - skipping run on this node"
+
+  tasks:
+    - name: Loading Variables from OS Common
+      import_tasks: tasks/tlog.yml
+
+  post_tasks:
+    - name: Touching run file that ansible has ran here
+      ansible.builtin.file:
+        path: /var/log/ansible.run
+        state: touch
+        mode: '0644'
+        owner: root
+        group: root
+...

tasks/tlog.yml

@@ -0,0 +1,44 @@
+---
+- name: Install necessary packages
+  ansible.builtin.dnf:
+    name:
+      - tlog
+      - sssd
+
+- name: Configure SSSD on the system for files domain
+  community.general.ini_file:
+    path: "/etc/sssd/sssd.conf"
+    section: sssd
+    option: enable_files_domain
+    value: "true"
+  notify: restart_sssd
+
+- name: Add session recording configuration
+  ansible.builtin.template:
+    src: "etc/sssd/conf.d/session-recording.conf"
+    dest: "/etc/sssd/conf.d/session-recording.conf"
+    owner: root
+    group: root
+    mode: '0600'
+  notify: restart_sssd
+
+- name: Enable the files domain through authselect
+  command: >
+        /usr/bin/authselect select custom/sssd-rocky
+        without-nullok
+        with-faillock
+        with-mkhomedir
+        with-sudo
+        with-files-domain
+        --force
+  notify: restart_sssd
+  changed_when: true
+
+- name: Configure tlog itself
+  ansible.builtin.template:
+    src: "etc/tlog/tlog-rec-session.conf"
+    dest: "/etc/tlog/tlog-rec-session.conf"
+    owner: root
+    group: root
+    mode: '0644'
+...

templates/etc/sssd/conf.d/session-recording.conf

@@ -0,0 +1,3 @@
+# RESF Managed
+[session_recording]
+scope = all

templates/etc/tlog/tlog-rec-session.conf

@@ -0,0 +1,83 @@
+// Managed by the RESF
+//
+// Tlog-rec-session system-wide configuration. See tlog-rec-session.conf(5) for details.
+// This file uses JSON format with both C and C++ comments allowed.
+//
+{
+    // The path to the shell executable which should be spawned.
+    // "shell" : "/bin/bash",
+
+    // A message which will be printed before starting
+    // recording and the user shell. Can be used to warn
+    // the user that the session is recorded.
+    "notice" : "\n** Session recording now in progress\n\n",
+
+    // The number of seconds to cache captured data for before logging.
+    // The encoded data which does not reach payload size
+    // stays in memory and is not logged until this number of
+    // seconds elapses.
+    // "latency" : 10,
+
+    // The maximum encoded data (payload) size per message, bytes.
+    // As soon as payload exceeds this number of bytes,
+    // it is formatted into a message and logged.
+    // "payload" : 2048,
+
+    // Logged data set parameters
+    "log": {
+        // If true, user input is logged.
+        // "input" : false,
+
+        // If true, terminal output is logged.
+        // "output" : true,
+
+        // If true, terminal window size changes are logged.
+        // "window" : true
+    },
+
+    // Logging limit parameters
+    "limit": {
+        // The maximum rate messages could be logged at, bytes/sec.
+        // "rate" : 16384,
+
+        // The number of bytes by which logged messages are allowed to exceed
+        // the rate limit momentarily, i.e. "burstiness".
+        // "burst" : 32768,
+
+        // The logging limit action.
+        // If set to "pass" no logging limits will be applied.
+        // If set to "delay", logging will be throttled.
+        // If set to "drop", messages exceeding limits will be dropped.
+        // "action" : "pass"
+    },
+
+    // File writer parameters
+    "file": {
+        // The "file" writer log file path.
+        // "path" : ""
+    },
+
+    // Syslog writer parameters
+    "syslog": {
+        // The syslog facility "syslog" writer should use for messages.
+        // "facility" : "authpriv",
+
+        // The syslog priority "syslog" writer should use for messages.
+        // "priority" : "info"
+    },
+
+    // Journal writer parameters
+    "journal": {
+        // The syslog-style priority "journal" writer should use for messages.
+        // "priority" : "info",
+
+        // If true, the "journal" writer copies the following JSON fields
+        // to Journal fields: user -> TLOG_USER, session -> TLOG_SESSION,
+        // rec -> TLOG_REC, and id -> TLOG_ID.
+        // "augment" : true
+    },
+
+    // The type of "log writer" to use for logging. The writer needs
+    // to be configured using its dedicated parameters.
+    // "writer" : "journal"
+}